If the Glove Doesn’t Fit, the Role of Lossless Capture in Cyber Security

May 23, 2017

Written by Ahmet Houssein

Tune into any TV crime drama during the past decade, and you’ll see the Crime Scene Investigation (CSI) unit sweep into the murder scene, tape off the area, photograph and bag and tag all potentially relevant evidence establishing a chain of custody. The investigators then begin building a timeline of the events leading up to the murder so they can assign attribution for the crime.

Forensics evidence and collection in the world of cyber security is strikingly similar. In cyber security, most enterprises would ideally like to detect the moment a digital gun is fired so they can block the virtual bullet from causing any real damage. With cyber security, this means “listening” to all the data in-flight within a company, and then scanning that data for signals matching the profile of a digital gun shot. It should be noted that to do an effective job you need to listen to every byte of data moving within an enterprise to ensure you don’t miss that virtual gun shot. From a cyber security perspective, this means capturing every network packet within the organization, across the entire organization. Miss even one packet of network data, and you could fail to detect a security breach that could cost your company untold losses.

For three decades, cyber security has been focused on creating a hard shell around the soft chewy center of the enterprise. Before the advent of phishing and website exploit kits that can create endpoint beachheads into your enterprise, this hard-outer shell approach was adequate. Now it only takes a single employee falling prey to a phishing exploit or visiting an infected website to expose the entire enterprise. Exploits today communicate with their command and control centers using a connection that mimics a user generated outbound secure browser connection. In doing so they establish a tunnel and then begin exporting all of that endpoint’s secrets. Most perimeter security appliances will see this outbound connection as something normal, as user initiated, and since it is encrypted via SSL breach detection tools will likely let it pass. In parallel the exploit will often quickly and systematically walk your entire corporate network leveraging the hacked user’s credentials to locate file shares and intranet websites containing potentially valuable corporate secrets to also export. It will then leverage the user’s digital address book and email account to send out the phishing exploit to others within the company. Since it is coming from inside the company, and likely a trusted individual, the email and attachments are much more likely to be opened and the exploit launched. The expected outcome being that people with greater privilege will be infected thereby exposing even more valuable secrets.

So, what role does enterprise wide lossless network packet capture play? With the proper wire-rate capture solution one can store copies of everything going on within the network. These new streams of data can then be connected locally to applications like BRO, Snort, Suricata or others. Originally, these tools were designed to look for suspicious patterns in perimeter network data, today they are being repurposed to find internal network threats. If all of this sounds like too much there are a host of companies that sell appliances built on these products: Cisco, Reservoir Labs, Bricata, etc… While these solutions can all be utilized to great effect, newer approaches that leverage big data, and artificial intelligence are rapidly gaining traction.

Splunk took an early lead in this space by providing a cloud service with an associated local plug-in to stream all the captured network packets, in bulk, up to the cloud for processing. Their cloud service then looked for patterns and suggested actions to their subscribers. By having many subscribers Splunk is essentially able to apply some of the concepts of crowd sourced learning to refine their pattern detection algorithms. Building on this and rolling in additional big data capabilities Cloudwick entered the scene.

Some enterprises don’t fancy the idea of shipping everything going on inside their company to some cloud service that charges by the byte. So rather than shipping bulk data offsite for processing Cloudwick brings the big data machinery into your network in the form of a Hadoop Cluster called a data lake. They then work with you to determine what it is you want to capture, and what types of specific threats you want to detect using that data. JASK borrowed some of the best ideas of local analysis tools initially mentioned, along with the cloud and big data concepts of both Splunk and Cloudwick.

Like Splunk, JASK runs an agent locally against all the captured data in real time then streams something up to the cloud. While Splunk’s agent simply streams everything directly to their cloud, JASK’s agent applies a rich set of detection algorithms using an open source security application to process the raw captured data and only stream a derivative of that data to their cloud. This derivative data is a small fraction of the original data, and an abstraction of that data, so companies concerned about shipping their secrets to the cloud can be less fearful. JASK then applies state-of-the-art artificial intelligence (AI) engine to this abstracted data to intelligently alert the companies administrators to a threat.

Next year Snort, perhaps the oldest, and most widely used open source security tool, will celebrate its 20th anniversary. Of the many things we’ve learned over the past 20 years is that two of the primary keys to thwarting a breach or solving a cyber-crime are collection and detection. Without lossless capture, how would you even know if you’ve collected everything?

Ahmet Houssein

Vice President Marketing & Strategic Development, Solarflare

Ahmet Houssein is responsible for establishing marketing strategies and implementing programs to drive revenue growth, enter new markets and expand brand awareness to support Solarflare’s continuous development and global expansion. He has over twenty-five years of experience in the server, storage, data center and networking industry, and held senior level executive positions in product development, marketing and business development at Intel and Honeywell. Most recently Houssein was SVP/GM at QLogic where he successfully delivered first to market with 25Gb Ethernet products securing design wins at HP and Dell. One of the key leaders in the creation of the INFINIBAND and PCI-Express industry standard. Houssein is a recipient of the Intel Achievement Award and was a founding board member of the Storage Network Industry Association (SNIA), a global organization of 400 companies in the storage market. He has been educated in London, UK and holds an Electrical Engineering Degree equivalent.